Report: Election Systems' Hacks Far Greater Than First Realized

Russian hackers struck election systems in almost twice as many states as previously reported, according to Bloomberg News, which reports that 39 states were affected. Voter registration systems were among those hacked.

In one instance, investigators uncovered evidence that the attackers tried to delete or modify voter information in an Illinois voter database, which contained names, dates of birth, gender, driver's license numbers and partial Social Security numbers on 15 million people, half of whom were active voters, according to the news report. As many as 90,000 records were ultimately compromised in Illinois, states the report, which cited three unnamed people with direct knowledge of the U.S. investigation.

In an unclassified version of a top-secret report released in January, the U.S. intelligence community said that Russian President Vladimir Putin ordered an influence campaign aimed at undermining public faith in America's democratic process and preventing Hillary Clinton from being elected president (see Intelligence Report Blames Putin for Election-Related Hacks).

Loss of Confidence

"The threat mainly comes from the potential for the loss of confidence in the results than the threat of manipulating the results themselves," says former White House Cybersecurity Coordinator Michael Daniel. "It would be extremely difficult to actually change the outcome of an election on a statewide or national scale. You would have to know in advance where the close districts would be, flip only just enough votes to change the outcome, but not so many that you get noticed. It is far easier to try to undermine confidence by going after voting registration rolls, for example."

Herb Lin, senior research scholar at Stanford University's Center for International Security and Cooperation, says breaching voter registration systems, which are managed state by state, is the most serious threat to the U.S. electoral system.

"Each state has a single public-facing voter registration database, and selective manipulation or alteration of voter registration records could throw elections into public chaos or clandestinely suppress enough voters to change the outcome of close elections," Lin says.

Stewart Baker, former assistant secretary for policy at the Department of Homeland Security, says states, with the help of the federal government, should avoid dependence on electronic systems. "Voting systems were largely designed without heavy reliance on IT, and we should be very skeptical of efforts to switch to digital systems," Baker says. "Paper ballots, perhaps scanned but still available for recounts, backup of all vote and count data as well as voter registration data are all measures we should adopt. The fact is that digital systems will probably never be secure enough for a process that is as tempting a target for our adversaries as voting."

Illinois Seen as "Patient Zero"

Bloomberg characterizes Illinois' electoral system as "patient zero" in the government's probe that led investigators to discover a "hacking pandemic that touched four out of every five U.S. states. Using evidence from the Illinois computer banks, federal agents were able to develop digital signatures - among them, internet protocol addresses used by the attackers - to spot the hackers at work."

The Department of Homeland Security shared the signatures with all states. Thirty-seven states reported finding traces of the hackers in various systems, one of the people familiar with the probe told Bloomberg. In Florida and California, investigators found those traces in systems run by a private contractor managing critical election systems, Bloomberg reports.

Lin sees compliance with a cybersecurity checklist as insufficient to protect election systems. "Though it is a place to start but I fear that this is the dominant practice among most users of information technology, state governments included," he says.

Penetration Testing

"The best way to test security is to subject it to a white-hat penetration team that can operate in an unconstrained manner and conduct its tests unannounced," Lin says. "Every state should insert 100 fake voter registration records and challenge their penetration testers to delete or alter these records, and a measure of success would be how many records the penetration tests could affect."

Daniel suggests defending state election systems against hacks from Russia and other nation-states won't get easier unless more is invested in security. Also, he says the shortage of cybersecurity professionals at the state level hinders the defense of election systems.

"It is also a matter of time and focus - election officials are busy people," says Daniel, president of the Cyber Threat Alliance, a not-for-profit information sharing and analysis organization. "We also need to broaden the focus beyond worrying about the security of just the voting machines, although those are important. We need to look at the full array of what makes up the electoral infrastructure, from voter registration rolls to election night reporting, not just the voting machines, and make risk-informed decisions about where to invest additional resources."

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.